[c-nsp] Sup720 CoPP, limits on CPU performance

Saku Ytti saku at ytti.fi
Tue Mar 23 09:17:03 EDT 2010


On (2010-03-23 08:56 -0400), Chris Griffin wrote:
 
> The testing I did was about a year ago, but as I recall, with our
> default deny any policy, traffic to hosts with no current ARP
> adjacency would fail.  As soon as the glean rate limiter was
> enabled, traffic started to flow normally.  Further testing
> demonstrated the limitation with ACL behavior and due to our heavy use
> of outbound ACLs, we elected to track each interface IP in an object
> group and apply heavy deny policies to those bits while allowing
> glean and other unclassified traffic to hit a rate limited permit
> policy.

If the glean rate-limiter bypasses software CoPP, as it seems to do, why
would you opt not to use it? Do you want to give priority to some glean
traffic to avoid a possible DoS scenario where legit hosts can't be gleaned
due to an attack?


-- 
  ++ytti
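The arrangement Chris describes, written out as a Sup720 configuration so the ordering is visible. This is an added example, not configuration posted by either participant: the addresses are RFC 5737 documentation space, the policing rates are placeholders, and a plain extended ACL stands in for the object group he mentions, since object-group syntax differs between IOS trains. The wording in the comments about glean packets reaching the hardware limiter rather than the software CoPP policy is what the thread reports, not an independent claim.

```cisco
! Added example (not from the original thread). Addresses are RFC 5737
! documentation space; rates and bursts are placeholders to be tuned from
! 'show policy-map control-plane' counters.

! Hardware rate limiter for glean traffic (packets to a connected destination
! with no ARP adjacency yet). Per the thread, these packets hit this limiter
! instead of the software CoPP policy; with it absent and a deny-by-default
! CoPP, traffic to not-yet-ARPed hosts never started flowing.
mls rate-limit unicast cef glean 50 10

! Routing protocol traffic: must be matched before the deny class below.
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any

! Management traffic from trusted sources only (placeholder prefixes).
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp host 192.0.2.10 any eq snmp
 permit udp any eq ntp any eq ntp

! Every address the box owns (the original poster kept these in an
! object group). Anything addressed to these that was not already
! matched above gets dropped.
ip access-list extended COPP-TO-INFRA
 permit ip any host 192.0.2.1
 permit ip any host 192.0.2.2
 permit ip any host 198.51.100.1

class-map match-any COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-any COPP-MGMT-CLASS
 match access-group name COPP-MGMT
class-map match-any COPP-TO-INFRA-CLASS
 match access-group name COPP-TO-INFRA

! First matching class wins, so the permit classes precede the deny class.
! class-default is the rate-limited permit that glean and other
! unclassified punts fall into.
policy-map COPP
 class COPP-ROUTING-CLASS
  police 2000000 64000 conform-action transmit exceed-action drop
 class COPP-MGMT-CLASS
  police 512000 16000 conform-action transmit exceed-action drop
 class COPP-TO-INFRA-CLASS
  police 32000 8000 conform-action drop exceed-action drop
 class class-default
  police 256000 8000 conform-action transmit exceed-action drop

control-plane
 service-policy input COPP
```

After applying it, `show policy-map control-plane` shows per-class conformed and exceeded counters and `show mls rate-limit` shows the glean limiter state; a sudden rise in the COPP-TO-INFRA-CLASS drop counter during normal operation usually means a legitimate protocol was left out of the permit ACLs rather than an attack. The point under discussion in the thread is the class-default line: whether glean packets ever reach it, or are handled entirely by the hardware limiter, is what Saku is asking about.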

